Access Control: Add fine-grained access control to explore (#35883)

* add fixed role for datasource read operations * Add action for datasource explore * add authorize middleware to explore index route * add fgac support for explore navlink * update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is * add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default * create function to evaluate permissions or using fallback if accesscontrol is disabled * change hasAccess to prop and derive the value in mapStateToProps * add test case to ensure buttons is not rendered when user does not have access * Only hide return with changes button * remove internal links if user does not have access to explorer Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2021-07-02 14:43:12 +02:00
parent ef05596e07
commit 2fd7031102
13 changed files with 150 additions and 34 deletions
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -94,7 +94,12 @@ func (hs *HTTPServer) registerRoutes() {
 	r.Get("/dashboards/*", reqSignedIn, hs.Index)
 	r.Get("/goto/:uid", reqSignedIn, hs.redirectFromShortURL, hs.Index)

-	r.Get("/explore", reqSignedIn, middleware.EnsureEditorOrViewerCanEdit, hs.Index)
+	r.Get("/explore", authorize(func(c *models.ReqContext) {
+		if f, ok := reqSignedIn.(func(c *models.ReqContext)); ok {
+			f(c)
+		}
+		middleware.EnsureEditorOrViewerCanEdit(c)
+	}, accesscontrol.ActionDatasourcesExplore), hs.Index)

 	r.Get("/playlists/", reqSignedIn, hs.Index)
 	r.Get("/playlists/*", reqSignedIn, hs.Index)